The document provides an overview of a red team consultant's methodology for penetration testing engagements. It discusses the stages of an engagement, including pre-engagement reconnaissance using tools like LinkedIn and domain research. It covers external testing techniques like NTLM brute forcing. Internal testing focuses on privilege escalation using tools like Mimikatz and lateral movement using techniques like DLL hijacking. Reporting emphasizes providing a full narrative and findings of high quality over large quantities.
3. About
○ Jason Lang
○ Sr Security Consultant at TrustedSec
○ Red team, trolling, shenanigans
○ Twitter: @curi0usJack
○ Hobbies: woodworking, beekeeping
4. Goals
○ To give you an unrestricted look at one red teamer’s (consultant) methodology, including core principles.
○ To foster learning by example (and failure)
○ To drop some handy stuff. :-)
5. Red Team Target Maturity
Assessment type, from least to most mature target: Vuln scan → External pentest → Internal pentest → Purple Team(s) → Red team / ATT&CK → Non-scoped long term / AdSims
Defensive capability, from least to most mature target: Patch Management → Network Controls / Admin Rights → Configured Endpoint / EDRs → Centralized Logging → Finely tuned Alerting and Response → Threat Hunting
Thanks @Contra_BlueTeam!
7. Red Team Key Difference
Ability to slow your roll
9. Talk Agenda
○ Pre-gig: Initial steps, OSINT, & Recon
○ External: Required Reading
○ SE: Tips to keep you getting shellz
○ Internal: Staying Stealthy
○ Reporting: Lorem ipsum dolor sit (ugh, Microsoft Word)
10. My Red Team Core Principles
○ Adversary simulation, not emulation.
○ Goal is specific data, trophy systems, or apps. Not DA (unless DA is a trophy, which it shouldn’t be).
○ Emphasize stealth over speed.
○ Active defense should be encouraged, to a point. Goal isn’t to “win” (either red or blue).
○ Scope should be as open as possible, including physical.
○ There should always be a “tip your hand” moment.
12. Core Principles: Pre-Gig
○ Steer client towards as open a scope as possible.
○ Clearly define what *can* be done vs what *will* be done.
○ Set an assumed breach target date.
○ Ask for their user password policy, specifically: Lockout Threshold, Lockout Duration, Lockout Observation Window.
13. Question
When does a red team engagement start?
Answer: The minute you get the assignment email.
14. LinkedIn - It’s The Best
○ You should have a recon account by now
○ Set a repeating task to add connections
○ Easy to scrape
15. LinkedIn - Build It Fast
1. Build a decent profile. Be thorough. Be sure to add colleges/organizations.
2. Click “My Network”
3. Scroll way down to fill the page
4. Run in Browser dev tools:
$("[data-control-name*='invite']").each(function(index) { $(this).trigger('click'); })
Thanks @mandreko & @Glitch1101!
16. Domains
○ Aged for months ahead of time
○ Reusable if possible.
○ clientname-portal.com is not ok. client.health-portal.com is.
○ Careful though, Cert transparency logs…
○ C2 & Phish domains never overlap!
○ Submit domains with PA, BlueCoat, Checkpoint, McAfee
○ Magic categories: Health, Financial, Government
17. Domains
Palo Alto SSL Decryption Best Practices (https://blog.paloaltonetworks.com/2018/11/best-practices-enabling-ssl-decryption/):
“1. Determine the sensitive traffic that must not be decrypted: Best practice dictates that you decrypt all traffic except that in sensitive categories, such as Health, Finance, Government, Military and Shopping.”
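The “careful though, Cert transparency logs” point cuts both ways: the same crt.sh data lets a defender spot certificates issued for names that embed their brand under a domain they do not own (the client.health-portal.com pattern above). The check below is an added example, not code from the talk or from crtsh-parse.py; BRAND_TOKEN, OWNED and the crt.sh-style JSON are constructed assumptions.

```python
import json

BRAND_TOKEN = "client"            # assumption: brand string to watch for in cert names
OWNED = {"clientname.com"}        # assumption: registrable domains the organisation controls

def registrable(host):
    """Crude registrable-domain guess (last two labels); use a public-suffix list in production."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def names_from_crtsh(payload):
    """Parse crt.sh JSON output; a name_value may carry several newline-separated SANs."""
    names = set()
    for entry in json.loads(payload):
        for n in entry["name_value"].split("\n"):
            names.add(n.strip().lower().lstrip("*."))  # fold wildcard certs onto their base
    return names

def lookalikes(names):
    """Certificate names that embed the brand token but sit under a domain we do not own."""
    return sorted(n for n in names if BRAND_TOKEN in n and registrable(n) not in OWNED)

# Constructed crt.sh-style response (not real CT data)
SAMPLE_CRTSH = json.dumps([
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA", "not_before": "2019-08-01T00:00:00",
     "name_value": "client.health-portal.com\n*.health-portal.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA", "not_before": "2019-08-03T00:00:00",
     "name_value": "clientname-portal.com"},
    {"issuer_name": "C=US, O=Example CA, CN=Example Issuing CA", "not_before": "2019-07-15T00:00:00",
     "name_value": "www.clientname.com\nlogin.clientname.com"},
])

if __name__ == "__main__":
    for name in lookalikes(names_from_crtsh(SAMPLE_CRTSH)):
        print("review:", name)
```

Feed it the JSON from a crt.sh identity search for your brand on a schedule and review whatever it flags.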
18. Passive Recon - How I Do It
○ hardcidr to get external ranges
○ amass with shodan/censys keys (wait for Black Friday)
○ https://crt.sh for cert transparency (crtsh-parse.py)
○ Metadata searching with pymeta
○ Github searching with trufflehog, reposcanner, Google
○ Authenticated LinkedIn scraping for contacts (LinkedInt by @vysecurity)
○ Dorks for everything else
Tool names in red. All on Github
20. Breach Data
○ Treasure trove of info:
  ○ Email format
  ○ Password format
  ○ New user passwords (group by count)?
○ Good place to start:
  ○ https://thepiratebay.org/torrent/22590240/Leaked_Databases
22. Core Principles: External
○ Brute AD from external, and always through a VPN.
○ Do your due diligence, but web app testing usually isn’t the focus (and quite possibly outside your discipline/expertise).
○ Make liberal use of credential stuffing. It works.
23. Active Recon - How I Do It
★ aquatone for website screen grabs
★ dirsearch for HTTP dir-bruting
★ nmap for top port tcp/udp sweeps
  ‣ Proxies may require full TCP connect (-sT)
  ‣ nmap default UA: Mozilla/5.0 (compatible; Nmap Scripting Engine); http://nmap.org/book/nse.html
Tool names in red. Blue Stars == Proxy/VPN
27. Core Principles: SE
○ Phishing:
  ○ 5 addresses max at a time, all bcc’d, with 15 mins between sends. Send from O365.
  ○ Links, not attachments.
  ○ Never a worry from Proofpoint.
○ Lead off with your latest tradecraft and downgrade as you get a feel for the environment. Don’t abuse your TTPs.
○ Eventually pivot to assumed breach (about 50% of the way through)
28. Infr. Automation with Ansible
○ Ansible is an open source platform that automates software provisioning, config mgmt & app deployment
○ It uses YAML files (.yml) to express groups of commands called tasks.
○ All tasks are executed on a target server using SSH + Python. No agents required!
○ Modules make up the bulk of functionality, allowing a variety of tasks like copying files, service management, etc.
36. Azure Information Protection (AIP)
○ Leverages O365’s RMS to encrypt Office documents to *specific recipients*
○ Impossible for defenders/sandboxes to evaluate the attachment without the user’s credentials. muahaha
○ Does not require that your target have O365
https://blog.atwork.at/post/2018/02/18/Azure-information-protection-user-experience-with-external-users
43. Core Principles: Internal
○ Prioritize: cookies, bookmarks, file shares, SharePoint.
○ Kerberoast single users only, no less than one hour apart (at minimum). Research beforehand.
○ Initial landing callback of 5-30 minutes, depending on engagement time & sophistication of defenses.
○ Test all commands in your lab before firing live. Duplicate defenses if possible.
44. Lab Environment
○ Internal lab is *required*
○ MSDN license
○ Splunk dev license
○ Used Dell R710 (ebay, ~$500)
○ Full AD forest
○ Sysmon/Defender -> Splunk
○ Splunk ThreatHunting App by @olafhartong
46. Tools/Tactics
(*) == heavily modified
○ What I almost never use:
  ○ CrackMapExec, internal bruting, PowerSploit
○ What I sometimes use:
  ○ Bloodhound, MSF aux mods, mimikatz*, Cobalt Strike*
○ What I always use:
  ○ proxychains, SOCKS, impacket*, ldapsearch, kerberos manipulation, /dirkjanm.io/*.*
49. wmiexec.py
index=windows EventCode=4688
`comment("impacket/wmiexec.py commands")`
(Process_Command_Line=*127.0.0.1* AND (Process_Command_Line="*ADMIN$*"
OR Process_Command_Line="*C$*"))
`comment("impacket/smbexec.py commands")`
OR (Process_Command_Line="*execute.bat*" AND Process_Command_Line="*Temp__output*")
`comment("impacket/secretsdump.py")`
OR (Creator_Process_Name="*services.exe" AND New_Process_Name="*svchost.exe"
AND Process_Command_Line="*RemoteRegistry")
`comment("impacket/atexec.py")`
OR (Process_Command_Line="cmd*C:\\Windows\\Temp\\*.tmp 2>&1")
| table _time host Process_Command_Line
| sort _time desc
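The same four rules as plain Python over Windows 4688 process-creation events, added here as an example (not code from the talk) so the matching logic can be exercised against constructed sample events before it goes into a saved search. Field names mirror the Splunk query; the atexec pattern assumes the C:\Windows\Temp path whose backslashes the slide lost, the smbexec string is transcribed as it appears, and every event below is constructed.

```python
from fnmatch import fnmatchcase

def _cl(e):  # command line, lower-cased: Splunk string matching is case-insensitive
    return e.get("Process_Command_Line", "").lower()

def is_wmiexec(e):      # output redirected through the loopback ADMIN$/C$ share
    c = _cl(e)
    return "127.0.0.1" in c and ("admin$" in c or "c$" in c)

def is_smbexec(e):      # transcribed literally from the query above
    c = _cl(e)
    return "execute.bat" in c and "temp__output" in c

def is_secretsdump(e):  # services.exe starting the RemoteRegistry svchost
    return (fnmatchcase(e.get("Creator_Process_Name", "").lower(), "*services.exe")
            and fnmatchcase(e.get("New_Process_Name", "").lower(), "*svchost.exe")
            and _cl(e).endswith("remoteregistry"))

def is_atexec(e):       # task output written to a .tmp under C:\Windows\Temp (path assumed)
    return fnmatchcase(_cl(e), "cmd*c:\\windows\\temp\\*.tmp 2>&1")

RULES = [("wmiexec", is_wmiexec), ("smbexec", is_smbexec),
         ("secretsdump", is_secretsdump), ("atexec", is_atexec)]

def classify(event):
    """Labels of every rule the 4688 event matches (empty list if none)."""
    return [name for name, rule in RULES if rule(event)]

def scan(events):
    """(_time, host, labels) for matching events, newest first like `sort _time desc`."""
    hits = [(e["_time"], e["host"], classify(e)) for e in events]
    return sorted([h for h in hits if h[2]], key=lambda h: h[0], reverse=True)

def _ev(t, host, parent, child, cmdline):
    return {"_time": t, "host": host, "Creator_Process_Name": parent,
            "New_Process_Name": child, "Process_Command_Line": cmdline}

# Constructed sample 4688 events (not real logs)
SAMPLE_EVENTS = [
    _ev("2019-09-01T10:00:00", "WS01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567332000.12 2>&1"),
    _ev("2019-09-01T10:05:00", "SRV02", r"C:\Windows\System32\services.exe",
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\system32\svchost.exe -k localService -s RemoteRegistry"),
    _ev("2019-09-01T10:02:00", "SRV02", r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /C tasklist > C:\Windows\Temp\KaqlPFcw.tmp 2>&1"),
]
```

Run scan() over your own exported 4688 events to see which rules fire and tune the patterns before turning them into alerts.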
51. Lowpriv - Chrome
○ If you don’t want to fire mimikatz in the target’s memory:
  ○ Save off the Cookies/Login Data files
  ○ Acquire the user’s password
  ○ Follow steps here for decrypting user DPAPI keys to then decrypt Chrome files
  ○ https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
52. Persistence & Movement
○ site:hexacorn.com inurl:blog intitle:beyond HKCU
○ COM/DLL Hijacking
  ○ Procmon is your best friend
  ○ Use a COM Proxy so you don’t fubar the target
    https://adapt-and-attack.com/2019/08/29/proxying-com-for-stable-hijacks/
    Thanks @leoloobeek!
○ Blend. In.
61. Core Principles: Communication/Reporting
○ Status Updates: Use “selective caution” when sharing.
○ Full walkthrough/narrative must be included in the report!
○ Findings: Less in number, better in quality. No SSL v2 nonsense unless you actually did something with it.
○ Consultants: Offer multiple follow up calls with the defense team. These are *the best*.